package rbac.authz

import rego.v1

# user-role assignment
user_role := {
    "alice": ["engineering","webdev"],
    "bob": ["hr"],
    "carol": ["viewer"]
}

# role-permission assignment
role_permissions := {
    "engineering":[{"action":"read","object":"server123"}],
    "webdev":[{"action":"read","object":"server123"},{"action":"write","object":"server123"}],
    "hr":[{"action":"read","object":"salary"}],
}

#logic tha implements RBAC.
default allow = false
allow if {
    #lookup the list of roles for the user
    roles := user_role[input.user]
    # for each role in that list
    r := roles[_]
    # lookup the permissions for that role r
    permissions := role_permissions[r]

    #for each permission
    p := permissions[_]
    #check if the permission granted to r matches the user's request
    p == {"action": input.action, "object": input.object}
}